Wednesday, September 26, 2007

California Senator Joe Simitian's SB 362 - which would ban human implanting of RFID tags without consent - continues to get national attention. No word yet on whether Governor Schwarzenegger will sign the landmark legislation, but with every day that goes by the bill's relevance and need only become more apparent. The Detroit Free Press reports on the legislation, as well as similar actions being taken by other states concerned about the privacy implications of RFID implants.

It would be an interesting feature of an employee's first day: Sign a contract, fill out a W2 and roll up your sleeve for your microchip injection. Sounds like sci-fi, but it has happened, and now a handful of states are making sure their citizens never will be forced to have a microchip implanted under their skin.

If Gov. Arnold Schwarzenegger signs a bill passed this month, California would join Wisconsin and North Dakota in banning human implanting of the tags without consent. Lawmakers are calling the legislation preemptive; the industry that produces the technology calls the states' action fear mongering.... State Sen. Joe Simitian, who authored the California bill, said he looked into RFID legislation after grade schools in Sutter County, Calif., required students to wear IDs containing the chips to help monitor attendance. The move prompted privacy complaints from parents, and the schools eventually stopped using the technology.

Simitian introduced four other RFID bills, dealing with criminal punishment for identity theft, security standards and use of the tags in driver's licenses and school IDs.... Determined to show the security flaws to skeptics in the Legislature, Simitian asked a tech-savvy grad student from his office to build one. The student then wandered the state Capitol one day with the reader in his briefcase. In the process, he stole the security numbers of nine representatives. The reader could send out any of those numbers, getting him past any locked door a state senator could access. And he would appear as the senator in the electronic records.

The four other Simitian RFID bills are currently inactive, but will be taken up by the Legislature again next session. To date, each has overwhelmingly passed every committee and floor vote it has faced. The real question will be whether the Governor will sign the bills when they reach his desk, or bow to industry pressure, as he is so apt to do. For more information on each, see SB 28, SB 29, SB 30, and SB 31.

In addition, the data gathered is "not simply your method of transit but the personal items you carry with you and the people you stay with, according to documents and statements obtained by the Washington Post. They even sometimes keep track of what books you read. For as long as 15 years.... "The Automated Targeting System has been used to screen passengers since the mid-1990s, but the collection of data for it has been greatly expanded and automated since 2002, according to former DHS officials," the Post said. "The federal government is trying to build a surveillance society," said John Gilmore, a civil liberties activist in San Francisco whose records were requested and then first revealed in Wired News. The government, he said, "may be doing it with the best or worst of intentions. ... But the job of building a surveillance database and populating it with information about us is happening largely without our awareness and without our consent."

...

According to the Post, "The DHS database generally includes 'passenger name record' (PNR) information, as well as notes taken during secondary screenings of travelers. PNR data -- often provided to airlines and other companies when reservations are made -- routinely include names, addresses and credit-card information, as well as telephone and e-mail contact details, itineraries, hotel and rental car reservations, and even the type of bed requested in a hotel."

Monday, September 24, 2007

Most Americans are now aware that the government - with the willing participation of the telecom industry - has been illegally wiretapping tens of thousands of Americans without their knowledge or consent. Unfortunately, it gets worse. Newsweek has just uncovered a secret lobbying campaign by the telecom industry designed to persuade Congress to give them complete immunity for their breach of the public trust. When government and big business collude to invade our privacy and subvert the Constitution, it's not an exaggeration to assert that our democracy itself is being fundamentally threatened. If successful, this would effectively kill the current private lawsuits filed against the companies that participated in the government's illegal program.

From Newsweek:

The nation’s biggest telecommunications companies, working closely with the White House, have mounted a secretive lobbying campaign to get Congress to quickly approve a measure wiping out all private lawsuits against them for assisting the U.S. intelligence community’s warrantless surveillance programs.

The campaign—which involves some of Washington’s most prominent lobbying and law firms—has taken on new urgency in recent weeks because of fears that a U.S. appellate court in San Francisco is poised to rule that the lawsuits should be allowed to proceed.

If that happens, the telecom companies say, they may be forced to terminate their cooperation with the U.S. intelligence community—or risk potentially crippling damage awards for allegedly turning over personal information about their customers to the government without a judicial warrant.

It will take some courage from members of the House and Senate to stand up to this assault on our privacy. Please contact your representatives in the House and Senate and let them know how you feel.

Friday, September 21, 2007

E-mails obtained by Network World show that Ameritrade received explicit and repeated warnings from an IT security expert starting Jan. 9, 2006 that its customer data had apparently been compromised, placing the start of the breach much earlier than previously reported and likely pushing it into 2005. Nevertheless, the company insisted for the next 20 months that a flood of stock-related spam being received by numerous clients was not indicative of a more serious problem.... While Ameritrade insists that it was working diligently - and hiring specialists - to stem the flow of spam, all of those efforts proved ineffective until recently ... and customers remained in the dark. In August 2006, Fritsch tried again to warn Ameritrade - via e-mail and telephone - this time providing samples of the spam that was hitting his Ameritrade-only account. At this point it's clear that the matter has Ameritrade's attention, even if the company was not sharing those concerns with its client base.... Fritsch had already sent what they were asking for, but he sent more, just to be helpful. Finally, near the end of August - again, this is 2006 - Fritsch received this e-mail from Ameritrade:

Joshua Fritsch,

We have received many headers from various client reports. At this time there is no need to continue to forward this information to TD AMERITRADE. We appreciate your cooperation in our investigation.

And another full year would pass before 6.2 million Ameritrade customers would learn that all that spam they had been getting was more than just spam.

The reality is we are fast approaching a genuine surveillance society in the United States - a dark future where our every move, our every transaction, our every communication is recorded, compiled, and stored away, ready to be examined and used against us by the authorities whenever they want. The ACLU has created this Surveillance Clock to symbolize just how close we are to a “midnight” of a genuine surveillance society. But it’s not too late - there is still time to save our privacy.

Answering the question as to why the ACLU would create such a clock, the site reads:

Surveillance is an urgent issue. That isn't always obvious amid the constant blur of new technologies and one-day privacy stories, but when you step back it is clear we are at a crucial moment for the future of privacy and freedom, in danger of tipping into a genuine surveillance society completely alien to American values. That is why the ACLU has made this new Surveillance Clock – to dramatize the urgent situation we face.

Amazing new technologies enter our lives at such a steady pace that we have gotten used to constant change – change that often comes to us wrapped in the promise (and often the reality) of pleasing new conveniences and efficiencies. Yet the dark side of new technologies is usually slower to emerge – and often builds in the shadows, without an advertising budget or corporate cheerleader to thrust it into public view.

It doesn't require some apocalyptic vision of American democracy being replaced by dictatorship to worry about a surveillance society. There is a lot of room for the United States to become a meaner, less open and less just place without any radical change in government. All that's required is the continuation of trends that have continued unimpeded in recent years:

Powerful new technologies

Weakening privacy laws

The "War on Terror"

Courts that are letting privacy rights slip away

A president who thinks he can ignore laws against warrantless spying on citizens

Big corporations willing to become extensions of the surveillance state

Tuesday, September 18, 2007

It's been a good week in the California Legislature for privacy protection advocates...and certainly for Assemblyman Dave Jones. As with AB 779 - Jones' data protection bill - AB 1168 has moved on to the Governor's desk. Jones' website summarizes the bill as such:

AB 1168 - Protecting Social Security Numbers – Government agencies are releasing social security numbers, which can be used for identity theft. AB 1168 would protect consumers from identity theft by prohibiting local government agencies from releasing to the public records that contain more than the last four digits of a social security number. The bill would also require universities and colleges in California to truncate SSNs in their electronic student and employee records. Further, the bill would require the Franchise Tax Board to truncate SSNs on lien abstracts that it files as public documents. Finally, the bill would allow the Secretary of State’s office to stop certain financial documents from being filed with the office as public records if they contain any more than the last four digits of an SSN.

The bill had passed the Assembly on September 12th by a vote of 70 to 3, and was sent on to "enrollment" yesterday.

It appears the Assembly has a privacy protection and consumer rights champion of its own in Dave Jones, à la Joe Simitian in the Senate. For more on AB 779, watch this "Assembly Report" video.

Monday, September 17, 2007

A massive security breach - leaving millions of Americans vulnerable to greater identity theft - has TD Ameritrade Holding Corp. scrambling to explain how such a breach could happen, and why it allegedly took them so long to tell their customers that it had. According to the Associated Press:

Online brokerage TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen. A spokeswoman for the Omaha-based company said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken. The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and cooperating with investigators from the FBI, Securities and Exchange Commission, Financial Industry Regulatory Authority and local authorities.

But Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.

The data on Ameritrade’s servers may have been vulnerable for an extended period of time dating back at least to last October, according to the lawsuit filed by lawyer Scott A. Kamber. The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit.

END

The issue of data breaches, and corporate reluctance to inform their customers when one has occurred, relates to Friday's post detailing AB 779 (Jones), a bill awaiting Gov. Schwarzenegger's signature. If signed, the legislation would require retailers to reimburse financial institutions for the cost of fixing breached financial data, force greater disclosure of details about breaches, including a description of the categories of personal data that might have been compromised, and finally, it would explicitly prohibit retailers and other merchants from storing specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards.

Privacy Rights Clearinghouse, PogoWasRight and Attrition.org all compile information on data breaches, which happen so frequently that they are becoming almost “too routine” news events. If anyone who has been affected by a data breach wants independent advice on what to do as an identity theft victim, the Privacy Rights Clearinghouse has a very informative page about this, here.

Friday, September 14, 2007

AB 779 (D-Dave Jones), which would require retailers to reimburse data breach-related costs to banks and credit unions, is now one signature away from becoming state law. "The Consumer Data Protection Act" - endorsed enthusiastically by the Consumer Federation of California - overwhelmingly passed both the Senate and Assembly and now awaits the Governor's decision. Computerworld reports:

Analysts expect the California bill, if signed into law by Schwarzenegger, to have the same ripple effect on data breach laws as the state's data breach notification law. That law was one of the first such notification laws in the country and has been adopted and imitated in one form or the other by several other states.

The measure now pending was sponsored by the California Credit Union League (CCUL). In its original form, the bill mandated that a breached entity reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards. Retailers would be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised. In addition, the law would also explicitly prohibit retailers and other merchants from storing specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards.

Take, for example, Time Warner Cable, which has about 2 million customers in Southern California. The company offers a voice-video-Net package called "All the Best" for $89.85 for the first 12 months. But for anyone who has the wherewithal to read Time Warner's 3,000-word California privacy policy, you discover that not only does the company have the ability to know what you watch on TV and whom you call, but also that it can track your online activities, including sites you visit and stuff you buy.

Remember all the fuss when it was revealed last year that Google Inc. kept voluminous records of people's Web searches, and that federal authorities were demanding a peek under the hood? Multiply that privacy threat by three. Internet, TV, phone -- it's hard to imagine a more revealing glimpse of your private life.

"All your eggs are in one communications basket," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "If a company wants to, it can learn a great deal about you -- and it probably wants to."

More often than not, it'll also want to turn a fast buck by selling at least a portion of that info to marketers.

…

There are red flags to be found in each telecom provider's privacy policy. A close reading of Time Warner's policy reveals:

* Along with knowing juicy details of your calling and viewing habits -- those 900 numbers, say, or that subscription to the Playboy Channel -- the company keeps track of "Internet addresses you contact and the duration of your visits to such addresses."

* Time Warner not only compiles "information about how often and how long" you're online, but also "purchases that you have made" via the company's Road Runner portal, which provides access to thousands of goods.

* On top of that, the company may monitor "information you publish" via the Road Runner portal, which should send a chill through anyone who accesses his or her e-mail through Time Warner's servers.

That's not to say Time Warner or any other service provider is reading people's e-mail or invading users' privacy in any other way. The point is, they're explicitly saying they could.

…

Time Warner requires customers to opt out in writing. Its privacy policy doesn't include a mailing address. Telecom giant AT&T offers a TV service called U-Verse, which includes high-speed Internet access in conjunction with Yahoo Inc. The company's privacy policy says it tracks "pages you view, how much time you spend on each page, the links you click and other actions taken" when visiting AT&T Yahoo sites. It also says AT&T compiles info on "viewing, game, recording and other navigation choices that you and those in your household make" when using the company's TV services.

…

Despite the obstacles, consumers should be diligent about trying to opt out of service providers being able to share personal data. There's not much else you can do.

"We're a bit closer to the Orwellian '1984,' " said Givens at the Privacy Rights Clearinghouse. "But that was a government eye, and this is a corporate eye." At least you don't have to worry about these companies knowing things about you after you take your business elsewhere, right?

Wrong.

If this is indeed the future, I'd highly suggest readers check out this article and keep an eye on the way in which technology and privacy continue to intersect. David Lazarus is one reporter you can be sure will do a good job covering this ever developing issue.

For the sixth year in a row, identity theft tops the annual list of consumer complaints collected by the Federal Trade Commission.... Within the last twelve months, 9.3 million Americans were victims of identity theft. The mean resolution time is at a high of 40 hours per victim in 2006 compared to 28 hours in 2005. In fact, it can sometimes take years of frustrating effort to get everything back to normal. These figures indicate a crime that is spinning out of control.

...

...identity theft is still primarily a crime of opportunity, so become a hard target.

If you carry a wallet or purse, photocopy the contents. Copy both sides of each license, credit card, insurance card, etc. Put the photocopy away in a safe place. If your wallet should be stolen, you will have a record of everything that was in it, including account numbers and the phone numbers needed to call and cancel them. Also, do not carry your social security card or give out your number.

When the U.S. Food and Drug Administration approved implanting microchips in humans, the manufacturer said it would save lives, letting doctors scan the tiny transponders to access patients' medical records almost instantly. The FDA found "reasonable assurance" the device was safe, and a sub-agency even called it one of 2005's top "innovative technologies."

But neither the company nor the regulators publicly mentioned this: A series of veterinary and toxicology studies, dating to the mid-1990s, stated that chip implants had "induced" malignant tumors in some lab mice and rats.

...

"There's no way in the world, having read this information, that I would have one of those chips implanted in my skin, or in one of my family members," said Dr. Robert Benezra, head of the Cancer Biology Genetics Program at the Memorial Sloan-Kettering Cancer Center in New York.

These studies lead me to ask one simple question: "What did the U.S. Food and Drug Administration (FDA) know about these findings and when did they know it?" And did they know it before approving their use for humans? We’re waiting for an answer, FDA…

The ban on coerced implantations of RFID chips, introduced by state Sen. Joe Simitian, is not the first RFID legislation to hit Schwarzenegger's desk. In October 2006, Schwarzenegger vetoed a separate bill proposed by Simitian that was designed to limit the use of RFID in state and local documents.

At the time, Schwarzenegger said he was "concerned that the potential law's provisions [were] overbroad and may unduly burden the numerous beneficial new applications of contactless technology." He pointed to two areas of concern—that early legislation might limit innovation, and that the federal government, under the Real ID Act, had not yet released new technology standards for government ID cards. Any legislation from California, he said, could impose requirements that would contradict federal mandates.

...

The REAL ID Act, attached as a rider on a military spending bill, was signed into law in 2005. It stipulates that all states must redesign their driver's licenses by 2008 to include a common machine-readable technology, a move many say signals the advent of a national RFID-chipped identification card. In March, after months of wrangling and anti-RFID protests from states, the Department of Homeland Security released its proposed regulations for Real ID. The preliminary regs—a good indication of the final regulations, due any time—call for states to utilize 2-D bar-code technology rather than RFID.

With the Real ID question out of the way, a major part of Simitian's battle to get this latest bill signed is put to rest. But there is still the question of squelching innovation that Schwarzenegger raised earlier. Those innovation concerns are not addressed in Simitian's bill, but in separate bills that are still in California's assembly.

"This is one of five bills I have dealing with the use of RFID technology," said Simitian, in Sacramento, Calif. "As a Silicon Valley legislator [I believe] the technology is great, but you have to be thoughtful of when and where you use it."

...

"We have put much of our effort into getting California to pass this legislation," Tim Sparapani, legislative counsel for the national ACLU office, in Washington, said in a September 2006 interview with eWEEK. "We think the bill draws the right lines. RFID can be incredibly useful when shipping certain goods, but not when used to track people."

Details on the other RFID bills Senator Simitian has authored currently working their way through the legislature include: SB 28 and 29 (to be voted on any day now), which would impose a three-year moratorium on the use of the technology in California driver’s licenses and in public school ID cards. SB 30 would create interim privacy safeguards for any existing RFID-enabled government IDs, such as those used by students in the state college system. SB 31 (won't be heard until next year) would make it a crime to “skim,” or surreptitiously read, data from an RFID document without the knowledge and consent of the ID holder.

Pfizer Inc. disclosed a new data breach at the company that exposed as many as 34,000 employees to potential identity fraud.

As with the first two security breaches, Pfizer withheld the rather important news that employees' identities had been exposed for months before coming clean. Apparently, Pfizer's motto is "better late than never"...even when it comes to the potential identity theft of their workers.

“Congress has banned this type of program with good reason: It rates the potential for terrorism of every traveler and violates every American’s right to privacy,” said Barry Steinhardt, director of the ACLU Technology and Liberty Program. “The judgments about Americans calculated by ATS-P will be stored for years, and we have no idea how they may be used in the future. The benefit to the government is extremely questionable, but the consequences for Americans are simply dangerous.”

A federal judge scolded the Bush administration Wednesday for its continued refusal to release records related to its warrantless wiretapping program. Apparently to the White House, the Freedom of Information Act - as with the Geneva Conventions - has been rendered "quaint". The New York Times reports:

''While the court is certainly sensitive to the government's need to protect classified information and its deliberative processes, essentially declaring 'because we say so' is an inadequate'' defense, Kennedy wrote.... The FBI, Kennedy said, has not explained what type of documents were being withheld, how many records it had and why each document is exempt from public records laws. ''Instead, FBI relies on vague, broad, wholesale claims of exempt status,'' Kennedy wrote.

The culprit here is the culture of privacy that we have allowed to pervade certain areas of life, especially health and education. We have done this even as we have relied on openness to lead us into enormous change in other social realms.

But Fisher has a binary argument--it's either privacy or safety, a false dichotomy. The Christian Science Monitor editorializes that both can be served through the proper balance, serving both legal obligations:

Lack of understanding about federal and state laws is a major obstacle to helping such students, according to the report. The legal complexity, as well as concerns about liability, can easily push teachers, administrators, police, and mental-health workers into a "default" position of withholding information, the report found.

There's no evidence that VT officials consciously decided not to inform Mr. Cho's parents. But the university's lawyer told the panel investigating Cho's case that privacy laws prevent sharing information such as that relating to Cho.

That's simply not true. The report listed several steps that could quite legally have been taken: The Virginia Tech police, for instance, could have shared with Cho's parents that he was temporarily detained, pending a hearing to commit him involuntarily to a mental-health institution, because that information was public.

And teachers and administrators could have called Cho's parents to notify them of his difficulties, because only student records – not personal observations or conversations – are shielded by the federal privacy law that covers most secondary schools.

Notifying Cho's parents was intuitively the right course. Indeed, his middle school contacted his parents to get him help, and they cooperated. His high school also made special arrangements. He improved.

The report points out that the main federal privacy laws that apply to a college student's health and campus records recognize exceptions for information sharing in emergencies that affect public health and safety.

Privacy is a bedrock of American law and values. In a mental-health case, it gives a patient the security to express innermost thoughts, and protects that person from discrimination. But the federal law, at least, does recognize a balance between privacy and public safety, even when colleges can't, or won't.

The official report on the tragedy makes it very clear that those involved failed to properly apply privacy laws, which did allow them to share Cho's personal information and did allow them to take action. Canadian privacy laws similarly allow disclosure and action in such cases and privacy is not to blame for this tragedy.

Tuesday, September 4, 2007

And, despite Big Brotherish talk about knowing what choices people will be making tomorrow, Google has not betrayed the trust of its users over their privacy. If anything, it has been better than its rivals in standing up to prying governments in both America and China.

That said, conflicts of interest will become inevitable—especially with privacy. Google in effect controls a dial that, as it sells ever more services to you, could move in two directions. Set to one side, Google could voluntarily destroy very quickly any user data that it collects. That would assure privacy, but it would limit Google's profits from selling to advertisers information about what you are doing, and make those services less useful. If the dial is set to the other side and Google hangs on to the information, the services will be more useful, but some dreadful intrusions into privacy could occur.

The article is justified in its wariness over Google's data retention, but though the company may not have actively invaded its users' privacy, that's not to say privacy concerns over cookies, Street View, and behavioral marketing considerations are unwarranted and limited to the tin-foil hat-wearing crowd.

OK, so the system of employer-sponsored health care is disappearing. And pensions sure aren't what they used to be, either.

But the workers of California can breathe easy about one thing today, at least: the state Legislature has made it illegal for employers to implant identification devices in their skin.

If it sounds like your worst nightmare, that's because it is. The eyelash-sized devices can be used by employers to identify workers simply by passing a scanner over the implanted body part. At least one employer - CityWatcher.com, a Cincinnati video surveillance company - has already done this with two of its employees. With about 2,000 people already implanted with the devices, who's to say it wouldn't become an ordinary requirement for employment? After all, every employer wants to make sure that his or her employees are where - and who - they say they are.

State Sen. Joe Simitian, D-Palo Alto, was the first to recognize the obvious potential for abuse in this scenario. Amazingly, he met with resistance from nine senators, one of whom, Bob Margett, R-Arcadia, said that because the scenario hadn't proved a problem yet, outlawing it seemed unnecessary. Huh? Since when did privacy become unnecessary? We're glad to see that Simitian's other colleagues understood the ethical necessity of stopping a bad practice before it got out of control.

PRIVACY REVOLT! tackles the issues at the intersection of civil liberties and technology, with news and commentary on government and corporate surveillance, identity theft, data brokers, tracking devices, and the security of consumers' financial, medical, and phone records.
